Privacy Policy
Last updated: 2026-05-27 Version: 1.0
1. Data controller
TakeMe, a SASU with share capital of €15,000, registered office at 229 rue de Solférino, 59800 Lille, France (SIREN 993 936 350), represented by its president Valentin Drygas.
Contact: privacy@take-me.fr
2. Data collected
2.1 Data provided directly by the user
- Identity: email, password (hashed), first name, last name, date of birth
- Freelance profile: photo, bio, profession, portfolio, indicative rates, service area (geolocation)
- Client profile: first name, city
- Communications: messages exchanged with other users, reports
- Missions: title, description, budget, dates, reviews given/received
2.2 Data collected automatically
- Technical logs: IP address (anonymised), browser, OS
- Analytics cookies (with explicit consent only): pages visited, session duration
3. Purposes
| Purpose | GDPR legal basis |
|---|---|
| Account creation and management | Performance of the contract (art. 6.1.b) |
| Client/freelance matching | Performance of the contract |
| Moderation and security | Legitimate interest (art. 6.1.f) |
| Analytics and product improvement | Consent (art. 6.1.a) |
| Transactional communications (mission emails) | Performance of the contract |
| Legal obligations | Legal obligation (art. 6.1.c) |
4. Retention period
- Account data: duration of the contractual relationship + 3 years after deletion
- Login logs: 12 months
- Mission data: 5 years (accounting obligations)
- Analytics cookies: 13 months max (CNIL)
5. Recipients
- TakeMe team (limited access)
- Supabase (hosting, EU — Germany)
- Resend (transactional email, EU)
- Sentry (error monitoring, EU)
- PostHog (analytics, EU — with consent)
- Mapbox (mapping, USA — minimised data: coordinates only)
6. Transfers outside the EU
Mapbox is hosted in the United States. The only data transmitted is the geographic coordinates needed to render the map. Contractual safeguards: Mapbox Standard Contractual Clauses (SCC).
7. Your GDPR rights
You have the following rights:
- Access: know what data is processed (JSON export available in /settings)
- Rectification: edit your data via your profile
- Erasure: delete your account (30-day grace period, then hard-delete)
- Portability: JSON export available in /settings
- Objection: refuse analytics cookies (consent banner)
- Restriction: on request to privacy@take-me.fr
- Withdraw consent: at any time via /settings
To exercise these rights: privacy@take-me.fr. Response within 1 month.
Complaints: your national data protection authority (in France: CNIL — https://www.cnil.fr/en/plaintes).
8. Security
- Hashed passwords (bcrypt)
- HTTPS enforced
- Postgres RLS (Row-Level Security) on all tables
- 2FA for administrators
9. Minors
Registration is reserved for adults (18+). Any account belonging to a minor will be deleted upon report.
10. Cookies
Categories:
- Necessary: auth session (always active)
- Analytics: PostHog (opt-in)
11. Changes
This policy may evolve. Email notification for substantial changes.